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Digital Testing Device 
Field of the Invention 

The present invention relates to a digital testing device, and more particularly but not 
exclusively to a digital testing device and method for use in the data communications and 
telecommunications fields. 

Background of the Invention 
Modern telecommunications systems are generally constructed of various elements capable 
of data processing and data communication support. The various elements may be interlinked 
in order to establish reliable data flow between the elements and in order to guarantee proper 
harmonic operation as one complete system. In passing through such systems digital data can 
be put through numerous complex processes, each using numerous protocols. For example, in 
digital communications, switching, modulating, encoding, decoding and numerous other 
operations are needed. Each operation involves a different algorithm or protocol or series 
thereof that must be thoroughly tested. The protocols may be standard protocols or they may be 
proprietary protocols unique to the equipment manufacturer. Frequently the manufacturer uses 
an in-house modification of a standard protocol. In general, each different protocol or group of 
similar protocols requires a different test device, and often even minor variations of the 
algorithm may require the use of a different device. A single communication system may 
combine equipment of several manufacturers. It may thus require numerous test devices and be 
very difficult to test. Furthermore, the different test devices generally do not work together and 
thus test of integrated scenarios is generally not possible. 

Manufacturers find the use of proprietary algorithms helpful, however, one of the 
disadvantages of using such an algorithm is that time to market is delayed whilst a suitable test 
device can be designed and perfected. 

In addition, data links occasionally make use of security algorithms such as encryption 
systems, which need to be safeguarded, and some manufacturers may wish to keep their 
proprietary algorithms secret. 
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Summary Of The Invention 

In accordance with a first aspect of the present invention there is provided a digital testing 
device comprising: at least one data interface, a plurality of predetermined protocols, a protocol 
selector for selecting any combination of said protocols to operate on said digital data, and an 
output for outputting results of applying said digital data to said selected protocols. 

According to a second aspect of the present invention there is provided a digital testing 
device comprising: at least one data interface, a user interface, a protocol constructor operable 
to accept data from said user interface and to construct a protocol in accordance therewith, said 
protocol being able to operate on said digital data, and an output for outputting results of 
applying said digital data to said selected protocols. 

According to a third aspect of the present invention there is provided a digital testing device 
comprising, at least one data interface, a plurality of predetermined protocols, a user interface, a 
protocol constructor operable to accept data from said user interface and to construct an 
additional protocol in accordance therewith, said protocol being able to operate on said digital 
data, a protocol selector for selecting any combination of said protocols to operate on said 
digital data and an output for outputting results of applying said digital data to said selected 
protocols.. 

A fourth aspect of the present invention comprises a digital simulation device which 
comprises the protocols, a protocol constructor, the user interface, a protocol selector and the 
output. Instead data is produced automatically within the device itself and sent via the interface 

Preferably, the digital data is the output of all or part of a communications device. The 
device may be comprised within a computer. The output may comprise a configurable data 
protocol which may be set to find points of interest in the data under test. The input may 
comprise a selectable one of a plurality of device interfaces. The device interfaces are 
preferably designed with specific digital equipment in mind and may be operable to hide 
characteristics of the equipment from the device. Means are provided for enabling the user to 
generate new device interfaces or to configure existing device interfaces. 

Embodiments of the invention are operable with any digital data. 

The protocols referred to above preferably synthesize the data format of various 
communication protocols as used in communications engineering. 

The protocols are preferably descendant objects of a protocol-independent parent object, 
which may alternatively be referred to as a virtual protocol. The protocol-independent parent 
object is preferably operable to support processing of data according to any predefined protocol, 
which may be a descendant object thereof. Th$ algorithm-independent parent object may 
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support certain desirable features such as smart filtering, triggering and simulation operations, 
which enhance testing ability. The protocols may be templates for arranging incoming data into 
the data field and packet format of any predetermined protocol or other communication 
algorithm. 

The protocol constructor preferably comprises a bank of predefined protocol substeps 
represented by visual items in the user interface, individually selectable by a user through said 
user interface to build a protocol. 

The specific device interfaces referred to above are preferably represented by visual items in 
the user interface, individually selectable by a user through said user interface. 

Embodiments of the invention may thus provide a multi-interface, multi-protocol analyzer 
and simulator for testing or simulating ^complex communication systems involving any standard 
or proprietary protocol. The embodiments are based on a virtual protocol model. 

In an embodiment, automatic association may be made between a given device interface and 
one of said plurality of protocols. In a further embodiment, external test devices may be 
integrated into the system using a suitably designed interface. 

Embodiments of the invention may provide a device that can test an entire 
telecommunication system comprising equipment from numerous manufacturers, using a 
plurality of ports each of which can be programmed to operate on a different protocol, and 
which can be associated logically one with the other. The device may enable a reduction in 
development time and cost. 

Brief Description of the Drawings 
For a better understanding of the invention and to show how the same may be carried into 
effect, reference is now made, purely by way of example, to the accompanying drawings, in 
which: 

Fig. 1 is a simplified diagram of a first embodiment of a device according to the invention, 
Fig. 2 is a generalized block diagram of a device according to a preferred embodiment of the 
present invention, 

Fig. 3 is a generalized layer diagram of an embodiment of the present invention, 
Fig. 4 is a generalized diagram showing in more detail the virtual protocol model core of 
Fig. 3, 

Fig. 5 is a screen view of an exemplary protocol of the kind described in Fig. 4, as seen from 
within the protocol designer, 
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Fig. 6 shows the first step in the process of designing an object for testing a proprietary 
protocol, 

Fig. 7 is a screen view showing how the user interface 26 permits selection of a prestored 

interface for the interface object, 

Fig. 8 is a screen view of available protocols including that defined in Fig. 6, 

Fig. 9 is a screen view showing a new logical channel configured with a protocol and 

physical interface, 

Fig. 10 is a tree diagram showing a tree object based on the protocol shown in Fig. 6, 

Fig. 1 1 is a screen view showing the monitor output when test data bytes arrive and fit into 

the protocol tree as shown in Fig. 10, and 

Fig. 12 is a screen view showing a capture filter for monitoring the results of the analysis of 

Fig. 11. 



Description of the Preferred Embodiments 

Reference is firstly made to Fig. 1, which is a simplified diagram of a first embodiment of a 
device according to the invention. An interface connector 10 is attachable to a 
telecommunications system unit 12 or other communication device, in such a way that it is able 
to extract data for testing. The interface connector is attached to a portable, or other, computer 
14, which carries out an analysis of the extracted data. The interface connector is simply a 
buffering device allowing data from the exchange unit 12 to reach an input port of the computer 
14. In some embodiments, buffering may not be necessary. 

The use of a general-purpose computer for carrying out the analysis of the extracted data is 
preferred but not essential. As an alternative, it is possible to use a dedicated digital device. 

Reference is now made to Fig. 2, which is a generalized block diagram of a device according 
to a preferred embodiment of the present invention. It is to be borne in mind that the invention 
does not solely encompass the device configured for use but also relates to the features of the 
device that aid easy configuration and also to the method of configuration. 

In Fig. 2, a device interface 20 provides interfacing with the equipment to be tested. The 
interface is preferably selected to be specific to the equipment and is operable to hide hardware 
features of the equipment under test from the device. 

A protocol bank 22 comprises a plurality of predefined protocols Pi...Pn, all of which are 
designed to simulate the operation, on a datastream, of a specific item of equipment. The 
relevant protocol or protocols are selected by the user through a protocol selector screen of a 
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user interface (Fig. 8 below). The user interface is preferably a visual interface; wherein 
objects to be selected by the user are generally presented as graphical icons. 

In the event that the desired protocol is not present, the device allows for the easy addition of 
new protocols. This may be done by obtaining a predefined protocol from an external source 
such as the Internet, or it may be done by use of a protocol designer (46 in Fig.3). The protocol 
designer 46 contains a bank of protocol substeps (not shown), which are preferably represented 
by icons in the user interface. The user is able to select from the substeps to build his own 
protocol PNew, as will be explained in greater detail below. The newly formed protocol is then 
available for protocol selection in the same way as the predefined protocols Pi..iV 

An output unit 32, again configurable through the user interface, filters the output data for 
interpretation by the user. User configurable filters Fi...F M are stored in a filter bank 24 and 
customization thereof will be discussed below with respect to Fig. 12. User configurable 
triggers Ti...T K , for triggering test operations and the like, are stored in a trigger bank 26 and 
are likewise customizable through the user interface. 

As will be discussed below, devices according to the present invention may run simulations 
as well as tests. Thus a bank of prestored and configurable simulations is stored in a simulation 
bank 28. 

A virtual protocol model core 30 is a parent object that encapsulates a generic description of 
a communication protocol. It is preferably able to take on the characteristics of any protocols 
and the like that are applied to it. This is because all of the protocols etc. that have been 
discussed with respect to Fig. 2 are preferably defined as descendant objects thereof, as will be 
discussed in more detail below. An advantage of such a parent descendant arrangement is that 
when a protocol is prepared and or applied by a user, it requires no compilation or 
pre-processing but rather can be used immediately. 

Reference is now made to Fig. 3, which is a generalized layer diagram of an embodiment 
of the present invention. A virtual protocol model core 40, as discussed above, is a parent 
object that encapsulates a generic description of a communication protocol. Three types of 
descendant objects of the core 40 are defined as a protocol simulator 42, a protocol analyzer 44 
and a protocol designer 46. The protocol designer allows for the definition of a new protocol 
using the user interface as discussed above. A dedicated language is preferably used in order to 
facilitate the application of the virtual protocol by which the new protocol is to be described. 
The dedicated language preferably permits the creation of any combination of protocol layers 
by applying the object-oriented concept (inheritance & encapsulation). A simple linkage 
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between protocol components can lead to the construction of a wide and complex protocol 
library, where each protocol is built from very simple protocol components. 

The user interface preferably provides a visual protocol designer utility, as mentioned above, 
which allows the construction of protocol components without the user needing to be familiar 
with the modeling language. \ 



The protocol analyzer 44 allows for analysis of any protocol added to the protocol model 
core, or any set or combination of protocols. The protocol simulator 42 allows for the 
simulation of any protocol, or set or combination thereof added to the model core 40. 

A further parent object is the device interface object 48, which is a generic model of a device 
data interface A specific interface object appropriate to the system under test 50 and which is a 
descendant of the generic interface object, is preferably selected as described above. The model 
core, as mentioned, is preferably hardware independent. It is preferably data frame oriented, 
which means that any data pattern can be analyzed or generated as long as it is bit oriented. The 
specific interface object 48 permits easy interfacing with external hardware. The generic 
interface object 48 preferably comprises several interface functions that hide hardware 
dependent parameters. 

A plurality of interfaces may be used at the same time so that more than one data channel or 
de% ice may be tested simultaneously. Preferably, the device is configurable so that logical 
connections are provided between different channels. Thus, the data connected over numerous 
different channels can be analyzed as a single logical unit. Likewise, in simulation, several 
devices or data channels may be simulated simultaneously and logical connections may be 
configured between them. 

A series of logical connections may be configured and particular series of data may be tested 
to produce logical scenarios. This may be done as part of testing or as part of a simulation or as 
a combination of the two. * 

If testing of communications equipment is being carried out then the interface is used to 
obtain data from the equipment. It can also return data to the equipment, as part of a simulation 
and thus serve as a link in an operational connection. The interface may be a single channel or 
it may be multi-channel, allowing the testing of combined systems or testing of combined 
systems simultaneously. 

If simulation is being carried out then the data interface may be dispensed with, and an 
embodiment built solely for simulation need not comprise a data interface. 

Reference is now made to Fig. 4, which is a generalized diagram showing in more detail the 
virtual protocol model core of Fig. 3. As mentioned above, the virtual protocol model is a 
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non-specific protocol analyzer. It analyzes collected data according to a predefined protocol, 
that is to say one of the protocols referred to above. The model is based on the OSI's layered 
model and supports among other the following main features: 
Multi-layer analysis, 

Any field, any data format and any intelligent algorithm concerning data processing, and 
Multi channel analysis/data generation in parallel. 

A tree structure is an optimal structure for presentation of any protocol, algorithm or filter. In 
general, a predefined protocol is maintained as a tree object, that is to say a descendent of the 
generalized tree structure. Figure 4 is a generalized tree structure, designed for an embodiment 
of the present invention, in which the various nodes can be defined with properties of the 
protocol (nodes 60, 62 64 and 66) or they may lead to a whole new layer of nodes, (sub-node 
68). A second layer is shown explicitly but the only limit on the number of layers that may be 
included is the available memory. That is to say the number of layers is practically unlimited. 
The existence of one or more sub-layers, each of which can be constructed with any degree of 
complexity, gives the embodiments of the present invention the degree of flexibility necessary 
to apply testing to a wide variety of devices and protocols. 

Each node in the tree may indicate a field, a group of fields or a sub-protocol layer. A field 
is an abstract term that covers a data pattern, ranging from a single bit to an endless chain of 
bit-data. A branch in the tree represents a branch in the protocol. Such a branch may, for 
example, be represented by the command "separate two messages by a message type field". 
Numerous other functions and properties may be added to the tree to allow flexibility and 
automation of the data process/generation. 

Examples of the kind of properties that may be comprised in nodes within the tree are: 

Automatic check sum data fields, 

Variable length of data field according to dynamic conditions (dependent on other received 
data), 

Data masking and pattern comparison, 
Idle line timeout, and 
Data size trash hold. 

The virtual protocol model core permits the integration of externally provided data processes 
that have been generated by users in the way described above. The internal working of the 
externally provided processes are preferably totally hidden from the model core itself, and this 
is achieved by utilizing an external DLL (Dynamic Link Library). Any node in the virtual 
protocol tree can be assigned to such a DLL. This feature is important, for example if the user 
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wishes to safeguard protocols involving security applications and the like. The data processes 
referred to include both the protocols and the data interfaces. Both may be provided as external 
DLLs with their internal data processing being hidden from the core. 

Reference is now made to Fig. 5, which is a screen view of an exemplary protocol of the 
kind described in Fig. 4, as seen from within the protocol designer 46. Various nodes are 
shown which define the parts of a data packet for the well-known TCP/IP protocol. It features 
internal branching for a higher protocol layer, as well as TCP and UDP protocols which are 
encapsulated as sub-protocol nodes denoted as "TCP packets" and "UDP packets". 

In the aforementioned embodiments there is thus provided a testing device that is 
multi-protocol, multi-channel and multi-interface. 

Reference is now made to Fig. 6, which shows the first step in the process of designing an 
object for testing a proprietaiy protocol. As in Fig. 5, there is shown a screen view of a 
protocol as seen from within the protocol designer 46. The protocol requires a definition of the 
data fields of a data packet and a series of nodes define open flag, message format connect, 
message format disconnect, data and close flag data fields. The definitions preferably include a 
size and a format for data within the field. 

Reference is now made to Fig. 7, which is a screen view showing how the user interface 26 
permits selection of a prestored interface for the interface object 48, and to Fig. 8 which is a 
screen view of available protocols including that defined in Fig. 6. A 'channel configuration 
manager' window (not shown), appears or is invoked and the user is directed to create a new 
logical channel and then select the required physical interface and assign a protocol. The 
physical interface objects are all presented as icons on the screen and the user simply clicks on 
the desired icon. Then the protocol defined in Fig. 6 is selected from the list shown in Fig. 8, 
which is a selection screen showing all previously defined screens. 

Reference is now made to Fig. 9, which is a screen view showing the new logical channel, 
here labeled simply "my proprietary channel" configured with the protocol and physical 
interface previously selected. The process can be extended to add more channels and protocols, 
and thus to construct a comprehensive configuration for analyzing and simulating multi-channel 
systems to any desired degree of complexity. 

The model is now ready for analysis. The analysis object is preferably activated to execute 
real time data capture and analysis. Data bits from the external device are captured by the 
interface. From the interface they are forwarded to the protocol tree where they filter through, 
starting at the root node and branching to other nodes and protocol layers, as though the data 
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were being fed through a real device according to the protocol rules. The data as received is 
fitted into the data fields as defined in the protocol, ready for further analysis. 

Reference is now made to Fig. 10 which is a tree diagram showing a tree object based on the 
protocol shown in Fig. 6. In this example there is only a single protocol layer and a single 
branch Now assume the following data bytes are captured: 0x02, 0x03, 0x02, 0x01, 0x01, 0x03 
(0\ - indicates hexadecimal digit). Fig. 10 shows the data bytes fitted into the fields of the 
protocol as discussed with respect to Fig. 9. 

Reference is now made to Fig. 11, which shows the monitor output when the data bytes 
listed as above arrive and fit into the protocol tree as shown in Fig. 10. 

Reference is now made to Fig. 12, which is a screen view showing a capture filter for 
monitoring the results of the analysis of Fig. 11. It will be apparent that for large quantities of 
data, the monitor output as shown in Fig. 11 could be difficult to interpret. There is thus 
provided a capture filter which can be set to look out for certain key features of the incoming 
data that it is desired to study. In the screen view the only messages that are studied are those 
wherein the fields "message format: disconnect" and "length of field" contain 0x2 values. All 
else is ignored. 

If, instead of analyzing a particular device it is desired instead to test the operation of a 
particular protocol then the procedure is the same as described above except that the simulation 
object is entered before beginning the test. In the testing object, data is obtained from the 
interface, however, in the simulation object, data is produced, either at random or in a 
predetermined manner. The remainder of the operation is identical. 

In an embodiment, automatic association may be made between a given device interface and 
one of said plurality of protocols. In a further embodiment, external test devices may be 
integrated into the system using a suitably designed interface. 

It is appreciated that various features of the invention which are, for clarity, described in the 
contexts of separate embodiments may also be provided in combination in a single 
embodiment. Conversely, various features of the invention which are, for brevity, described in 
the context of a single embodiment may also be provided separately or in any suitable 
subcombination. 

It will be appreciated by persons skilled in the art that the present invention is not limited to 
what has been particularly shown and described hereinabove. Rather, the scope of the present 
invention includes both combinations and subcombinations of the various features described 
hereinabove as well as variations and modifications thereof which would occur to persons 
skilled in the art upon reading the foregoing description and which are not in the prior art. 
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Claims 

1. A digital testing device comprising: 

at least one data interface for interfacing to at least one device to be tested, 
a plurality of predetermined protocols, 

a protocol selector for selecting any combination of said protocols to operate on digital data 
obtained via said interface, and 

an output for outputting results of applying said digital data to said selected protocols. 

2. A digital testing device comprising: 
at least one data interface, 

a user interface, 

a protocol constructor operable to accept data from said user interface and to construct a 
protocol in accordance therewith, said protocol being able to operate on digital data obtained 
from said interface, and 

an output for outputting results of applying said digital data to said selected protocols. 

3. A digital testing device comprising: 
at least one data interface, 

a plurality of predetermined protocols, 
a user interface, 

a protocol constructor operable to accept data from said user interface and to construct an 
additional protocol in accordance therewith, said protocol being able to operate on digital data 
obtained via said interface, 

a protocol selector for selecting any combination of said protocols to operate on said digital 
data and 

an output for outputting results of applying said digital data to said selected protocols. 

4. A digital simulation device comprising: 
a plurality of predetermined protocols, 
a user interface, 

a protocol constructor operable to accept data from said user interface and to construct an 
additional protocol in accordance therewith, said protocol being able to operate on digital data 
obtained via said interface, 
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a protocol selector for selecting any combination of said protocols to operate on said digital 

data and 

an output for outputting results of applying said digital data to said selected protocols. 

5. A device according to claim 4, further comprising a script constructor for preparing 
scenarios for simulation. 

6. A device according to either of claims 4 and 5, comprising further inputs to collect data from 
the simulation for testing. 

7. A device according to any preceding claim, wherein said digital data is the output of all or 
part of a communications device. 

8. A device according to any preceding claim, comprised within a computer. 

9. A device according to any preceding claim, wherein said output comprises a configurable 
data filter. 

10. A device according to any of claims 1 to 3 and 7 to 9, wherein said data interface 
comprises a selectable one of a plurality of specific interfaces. 

11. A device according to either of claim 9 and claim 10, wherein said specific interfaces 
are designed for specific digital equipment and are operable to hide characteristics of the 
equipment from the device. 

12. A device according to either of claims 10 and 11, further comprising an interface 
constructor operable through a user interface to construct a specific interface. 

13. A device according to any preceding claim, operable with any digital data. 

14. A device according to any preceding claim, wherein said protocols are operable to 
synthesize the operation of various electronic apparatus. 
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15. A device according to any preceding claim, wherein said protocols are templates for 
fitting said data into a data field structure of a communication protocol. 



16. A device according to any preceding claim wherein said protocols are descendant objects 
of a protocol-independent parent object. 

17. A device according to claim 16, wherein said protocol-independent parent object 
comprises a tree structure. 

18. A device according to either of claim 16 and claim 17, wherein said protocol-independent 
parent object is operable to support processing of data according to any predefined protocol 
which is a descendant object thereof. 

19. A device according to claim 16 or claim 18, wherein said protocol-independent parent 
object is operable to support any one of a group comprising smart filtering, triggering and 
simulation operations. 

20. A device according to any one of claims 3 to 19, wherein said protocol constructor 
comprises a bank of predefined protocol substeps represented by visual items in the user 
interface, individually selectable by a user through said user interface to build a protocol. 

21. A device according to either of claim 9 and claim 10, wherein said device interfaces are 
represented by visual items in the user interface, individually selectable by a user through said 
user interface. 

22. A device according to "any of claims 9, 10, and 21, comprising a plurality of additional 
device interfaces, allowing a plurality of devices to be tested simultaneously. 

23. A device according to claim 22, wherein the number of additional device interfaces is 
limited only by constraints of available device memory. 

24. A device according to any preceding claim, further having a storage unit for storing data 
for later analysis. 
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25. A device according to claim 22, wherein logical connections between different ones of 
said plurality of devices to be tested are viewable within said device. 



26. A device according to claim 4, wherein a plurality of different simulations are operable to 
be run simultaneously and wherein said device is configurable to show logical connections 
between said simulations. 

27. A device according to any preceding claims wherein a plurality of channels may have 
logical connections made therebetween and wherein a logical scenario is testable over said 
logical connections. 

28. A device according to any preceding claims wherein a plurality of channels may have 
logical connections made therebetween and wherein a logical scenario is simulatable over said 
logical connections. 

29. A device according to claim 22, wherein automatic association is made between a given 
device interface and one of said plurality of protocols. 

30. A digital testing device substantially as hereinbefore described with reference to the 
accompanying drawings. 
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• 


File name: 


protocol_artalyze.h • 




• 
« 


Purpose: 


CoMPA's virtual protocol an lysis core * 
* 




* 


Author: 


Comlog. * 




* 


Version: 


1.0 AUC22.19*>9 





(C) Copyrights Comlog.LTD • 



// 

flifodef protocoi_analyzeH 
* define protocol _analyzeH 

^include "protocol ___defs.h* 

class TOiannelProtocoLAnalyzer 

private: 

TREE Layer tpProtocol; // Lowest layer protocol tree 
TimeOut; // Time out for frame ^syn c hr oni zation (in micro seconds) 

9 FrameBuf; // captured data bytes butter Tor frame. 
MaxFraraeSize; // Maximum size of frame 

StartFrameTime; // Mamtian start of frame timetag while recover rig frame 
FrameSize; // accumulated frame size. 

FrameAnalyzedPos; // Total analyzed size from accumulated frame size 
DeeodeFuncIndex; // Index in decoded data when using decoding functions. 
DecodeFuncState; // Last decoding function state. 

NODE Layer ipNode; // Last node or NULL for none (for layer I Protocol only). 

Layer lGroupRecurs; // Flag indicates whether inside a group recursive or not (Cor layer I Protocol only). 
Layer 1 GroupMuh; // Group multiplies counter (for Lowest Protocol only). 

TOnSaveFrame SaveFrameFunc; // NULL or pointer to "save frame function" 
TOnDi splay DisplayFunc; // NULL or pointer to "Display node function" 
TPassFHterFunc PassFilterFunc; // NULL or pointer to "Filter pass check function" 

BYTE LogicalNumben // Logical Channel Number 

BYTE NoProtocolBufTer(DEFAULT_BUF_S!ZE1; // Default Buffer for "no protect" situation 

void _fastcall StartNewFrame ( UINT64 TimeTag ); 

void _fastcail AddFrame ( WORD ErrorTag, UINT64 TimeTag ); 

void _fastcall AnalyzeLayer ( PTJ>ROTO_TREE pProtocol, BYTE *pData. DWORD DataSize, BYTE Layer ); 
WORD _fastcall AnalyzeNode ( PT_PROTO NODE pNode, BYTE *pData, DWORD •pDataiiidex, DWORD Data Size, 
BYTE Curr Layer ); 

WORD _rastcail AnalyzeGroup < PTJ>ROTO NODE pNode, BYTE •pData, DWORD •pDataindex. DWORD DataSize, 
BYTE CurrLayer ); 

PT_PROTO_NODE _fastcall MatchField ( PT_PROTO_NODE pNode t DWORD Multiples ); 
bool _fastcall MatchBita ( PT_PROTO_FIELD pFieM, PT BITS pBits, PT SYNCJVALUE pSyncVal ); 
WORD __fastcall DccodeField ( PT_PROTO NODE pNode, BYTE •pDataT DWORD •pDatalndex, DWORD DataStze 
DWORD •pMultiples ); 

bool _fastcall MatchMuItField ( PT_PROTO_FIELD pField. DWORD Multiples, PT SYNC VALUE pSyncVal ) 
bc«l_fastcallM8tchSmg!eFidd(PT_PROTO_nELDpField;rT SYNC VALUE pSyrtcVa£ BYTE "pOutData ) 
bool _fastcall DecodeAndCoovertMultField ( PT PROTO FIELD pFieldTDWORD Multiples. BYTE *plnData );" 
^ 0,d _rastcall DecodeAndConvertSmglcFidd ( PT_PROTO_FIELD pField, BYTE *plnD«ta, BYTE •pOutData ) 
void _fastcall ChcckNodeConditions ( PT_PROTO NODE pNode, DWORD Multiples ); 
void _fastcaJI ChecVProtocoIConditions ( PT PROTO JTREE pPrfltocol ); 
DWORD _fastcall NodeValueAsDWORD ( FT_PROTO_NODE pNode ); 

public: 

// constructor 

TChannelProtocolAnalyzer ( void ); 

// Called upon initializing channel and binding it with * protocol 
void _fastcall Assign ( PT_PROTO_TREE .Layer tpProtocol, 



PT PROTO 
UFNT64. 
BYTE 
DWORD 

UINT64 

DWORD 

DWORD 

DWORD 

BYTE 

PT PROTO 
BOOLEAN " 
DWORD 
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* Filename: protocol _ana I yze.cpp * 

* Purpose: CoMPA^ virtual protocol anlyais core * 

* Author: Comlog. • 

* Version: 1.0 AUG^2,I999 • 



• (C) Copyrights Comlog.LTD * 

•••••••••••••••••••••••••••••••••••••••••••••••/ 

n 

« include "protocol_analyTe.h M 

extern DWORD _lotalFrarnesRecerved; 

/ •••• / 

/ PUBLIC •*•••/ 

/ * • / 

/•••• v* •••••••••*••••••••••••••••••••••••••••••••••••••••• 

• NAME: TChannelProtocolAnalyzer :TQiannelProtocol Analyzer 

• DESCRIPTION: Conatmctor. 

• RETURN VALUE: None. 

• NOTES: None. 
« 

••• • ••••••••••••••••••••••• ••.•••••••...••./ 

TCrmnjielProtocolAnaiyrer::TChaniieQ^otocolAnaJyreit void ) 
( 

Layer I p Protocol = NULL; 

SaveFrameFune - NULL; 

DtsplayFunc = NULL; 

PassFUterFunc - NULL; 

TimeOut - 0; // No timeout I 

FrameBuf - NoProtocolBuffer; 

MaxFrameSize - si zeof(NoProtocol Buffer); 

StartFrameTime = 0; 

FrameSize - 0; 

FrameAnalyzedPos » 0; 

DecodeFunc Index - 0; 

DecodeFuncState - DEC_J>TATE_BEGI N ; 

Layer J Group Recurs = FALSE; 

Layer 1 Group Mult - 0; 

Layer IpNode -NULL; 

Logical Number - 0; 

) 



* NAME: TOiarmelProtocolAnaJyrer: : Assign 

* DESCRIPTION: Assign a protocol for using in this channel. 

Also assign the interface' functions for filtering 

* and display. 

♦ RETURN VALUE: None. 

• NOTES: If DisplayFunc is NULL (No Display fanctwrtality at all) 

• If MatchFunc is NULL (No fiHers/triggers hmcboojiity 
at all) 

* 

••••••••••••• • •••••••••••• 

void _fastcaJl TCharmel Protocol Analyzer:: Assign ( PT.PROTCTTREE ^Layer I p Protocol, 
TOnSaveFrame SaveFrameFune, 
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TOnDisplay _DisplayFunc, 
T^assFilterFuhc PaasFilterFunc, 
BYTE LogicaJHtimbcr ) 

( 

Layer IpProtoccH = ^LaycrlpProtocol; 
SaveFrameFunc « _SaveFrameFtmc; 
DisplayFunc - ^DisplayFunc; 
PassFilterFunc « _PassFilterFunc; 
Logical Number «* ^Logical Number; 

ir( l,ayerlpProtocol »- NULL ) 
( 

TimeOut « LayerlpProtocol->TimeOut; 
FrameBuf - Layer I pProtocol-> FrameBuf; 
MaxFrameStze - Layer I pPir*ocol->MaxFrameSizc; 

} 

else 
i 

TimeOul " 0; 

FrameBuf . - No Protocol BulTer; 

MaxFrameSizc - sizeoANoProtccoIBuJTcr); 

) 

) 



• NAMt: I Channel ProtocolAoaiyzer: : Prepare 

• DESCRIPTION Prepares channel for capture - reset «U Static parameters. 

• RETURN VALUE: None. 

• NOTES: None 



void rastcall TCftanne I Protocol Analyzer:: Prepare ( UTNT64 TrrrteTag ) 

I 

StartNcw Frame ( TimeTag ); 

) 



• NAME: TChannel Protoco (Analyzer. :OnJ r inish 

• DESCRIPTION: Called upon capture finish. Saves remain frame's bytes. 

• RETURN VALUE: None. 

• NOTES: None. 



v oid fasicaJl TCbarmelProtocol Analyzer: :OnFmish ( void ) 

I 

if ( FraraeSize > 0 ) 
< 

II Just add remajn bytes as garbage (FRAME_ERR_NOT_FINISHED): 
FrameAnaJyzedPos = FrameSize; 

AddFrame< FRAME_ERR_NOT_FINlSHED. Startf rameTime ); 

I 



NAME TChannelProtocoLAnaJyzerrrOnPacket 

DESCRIPTION: Proccesa captured packet of bytes. This routine is the 
analysis entry point 
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• Packet - Captured "chunk of bytes" (non synchronized). 

• PacketSize - Length of packet 

TimeTag - Interface/Driver Capture 64bit micro resolution 

• Time Tag. 
♦ 

• RETURN VALUE: None. 

• I 

• NOTES: Called by Driver/ Interface DLL high priority Thread. 

• Buffering Concept 



There are three buffering stages in data analysis: 

1 . Actual Bytes/Packet received - these bytes must be 
handled as quick Uy as possible and returned back to 
driver for reuse. 

2. Frame buffer - Accumulating data storage for completing 
synchronized data frame. 

3. Decoded Data - Decoded data bytes after process. These are 
maintained per each node< field) in the protocol Tree. 

void fastcall TCharmelProtocol Analyzer: :OnPacket ( BYTE * Packet, 

DWORD PacketSize, 
WORD PacketErr, 
UINT64 TimcTag ) 

\ 

DWORD Packetlndex - 0; // Position in packet. 

WORD LastErr; // Last error returned from analysis function 

bool AnotberLoop * FALSE; // Set to TRUE if need extra aniysts loop 



/ / 

/• Check for timeout ( Cheek only if frame has airedy started ): ♦/ 

/. •/ 

/• If TimeOut >« 0: whole frame must be completed in an interval that is •/ 

/• less then TimeOut ! •/ 

/• If TimeOut • 0: whole frame must be received in single packet •/ 



if ( FraraeSize ) 
< 

II Notice: ff TimeOut =» 0 then even two successive packets with the t 
II same time tag (Delta time - 0 ) are considered timeout 
if ( TimeTag >- ( StartFrameTime + TimeOut ) ) 
\ 

AddFrame< FRAME_ERR_TIME_OUT, TimeTag ); // Error - Add ail accumulated bytes (not including currently received) 
with timeout tag 
> 

// else: Ok, valid state ( in the middle of a frame ). 

) 

else 

StarCNew Frame ( TimeTag ); 

// Keep going till whole packet* bytes p rocccssed: 
while ( ( Packetlndex < PacketSize ) ||( AnotberLoop ) ) 
K 

Another Loop = FALSE; 

/ •••••••• 

/• Enough space left in frame buffer ? */ 

/•••• • * ••••/ 

if ( (MaxFraraeSize - FrameSize) >- (PacketSize - Packetlndex) ) 
I 

II Add remained packet bytes to frame: 
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memcpy( &FrameBuf\FrameSizel, £ Packet ( Packetlndex |, (PacketSize - Packetlndex) ); 
FrameSize +■» (PackctSize - Packetlnbex); 
Packetlndex - PacketSizc; 

) 

else 

// Add maximum amount of bytes to fill frame' buffer: 

memcpyf AFfameBunFrameSizel, APackctlPacketlodexl, (MaxFrameSize - FrameSizc) ); 
Packetlndex +°» (MaxFrameSize - FrameSizc); 
FrameSize - MaxFrameSize; 

) 

if ( PacketErr ) ft Packet Error ??? 

Frame Analyzed? os - FrameSize; ft Act as if analyzed... 
AddFrame( PacketErr. TimeTag >; // Add frame and prepare for next 

} 

else 
I 

if ( Layer IpProtocol !■ NULL ) 

LastErr - AnalyzeNode ( Layer IpNode, FrajncBufr AFrameBuflFrame AnalyzedPoslV. A Frame Analyzed Pos. 
FrameSize, FIRST_LAYER ); 
elee 

FrameAnalyzedPos - FrameSize; // Act as if analyzed... 
LastErr - 0; // No Error ! 

) 



switch ( LastErr ) 

1 / 

/• Ok message complete and FrameAnalyzedPos - FrameSize V 

case 0 : if ( TimeOut — 0 ) // No timeout 
FrameAnalyzedPos m FrameSize; 
AddFrame< 0, TimeTag ); // Add frame and prepare for next 
break; 

/»•* * *♦•♦/ 

more nodes to analyze • required more bytes. */ 
y* 2. Search pattern not found required more bytes. */ 
/* 3 .In the middle ol decoding function. •/ 

/• / 

case ANLZ_ERR_NODES_BUT_NOT ENOUGH_DATA: 
case A NLZERRNOT ENOUOH_DATA T1LL_END: 
case A NLZ ERR PATTERN NOT FOUND: 
case ANLZ_ERR_DFUNC - NOT_FTN!SHED: 

if ( FrameSize < MaxFrameSize ) // Fragmented message, wait for more data... 

I 

if ( TimeOut 0 ) // No timeout 
\ 

FrameAnalyzedPos » FrameSize; 

AddFrame( 0 , TimeTag ); // Add frame end prepare for next 

} 

break; 

) 

ft Else, FrameSize - MaxFrameSize but still not enough data: 

AddFrsme{ FRAME_ERR TOO BIO, TimeTag ); // Add frame and prepare for next 

break; 

/••••••••• •••#••••♦♦•••••••«••••••.•.••••♦••••.••••••••••♦•••/ 

/• Message comp lete, (yet still more bytes in frame buffer) V 

/•••• • •••••/ 

case ANLZ_ERR_DATA_BTJT_NO_MORE_NODES: 

if ( TimeOut = 0 ) // No timeout so also add remain bytes 

FrameAnalyzedPos - FrameSize; 
AddFrame< 0, TimeTag ); // Add frame and prepare for next 
if ( FrameAnalyzedPos < FrameSize ) // If fragmented message, wait for more data... 
Another Loop - TRUE; // repeat another loop • Still bytes in frame buffer 



.0128060A1 J_> 



SUBSTITUTE SHEET (RULE 26) 



WO 01/28060 



PCT/IL00/00639 



/••••••••••••■■« " """" — - ' 

/* 1 Matching found could not be found ! •/ 

/• 2 Could not complete analysis since decoding buf was too small.*/ 

/• 3 Decoding function returned error (out of s^nchronizauon). ♦/ ## 

case ANLZ ERR_NO MATCH FOUND: 

case ANLZlERR_DECODE_BUF_TOO_SMALL: 

case ANLZ_ERR DFUNC_OUT_OF_SYNC: 

if ( TimeOut — 0 ) 7/ Ho timeout so also add remain bytes (Let re-anlysis detect errors) 
( 

FrameAnalyzedPos - FrameSize; 

AddFrame< 0. TimeTag ); // Add frame and prepare for next 

> 

else 

AddFramet FRAME ERR_OUT_OF_SYNC. TimeTag ); // Add frame and prepare for next 
if { FrameAnalyzedPos~< FrameSize ) //Tf fragmented message, wait for more data... 

Another Loop - TRUE; // repeat another loop - atill bytes in frame buffer 
break;. 

/* Invalid Frame Check Sequece Returned from decoding (unction. •/ 

/ * * ••••••••••••••••••••••••••••••••••••••••••/ 

case ANLZ_ERR_DFUNC_INVALID_FCS: 

ir ( TimeOut — 0 ) // No timeout so also add remain bytes 

FrameAnalyzedPos - FrameSize; 
AddFrame< FRAM E_ERR_J N V ALI D_FCS ? TimeTag ): // Add frame and prepare for next 
if ( FrameAnalyzedPos < FrameSize ) // If fragmented message, wait for more data... 

Another Loop =» TRUE; // repeat another loop * still bytes in frame bulTer 
break; 

/• Unexpected H! V 

default: AddFrame< FRAME ERR_UNEXP ECTED, TimeTag ); // Add frame and prepare for next 

) 

) 

I 

) 

/ •••••••••••••••••••••••••••••*•••••••••••••••♦•*•*•*•••••♦•••••••••• 

• NAME: TChanne1Pr«oco!Analyzer.:ReAnaiyzeFrtme 



DESCRIPTION: Proecess an already captured frame for monitoring 
purpose. 

Frame - Frame bytes buffer. 
FrameSize - Frame buffer size. 

_DispleyFunc - Cad back for node/group display function. 
RETURN VALUE: None. 

NOTES : Called by monitor for analyzing non-error frames. 



void rastcall TLharme! Protocol Analyzer:: Re AnalyzeFrame ( BYTE *pFrame, 

DWORD FrameSize, 
TOnDisplay Display Func, 
TPassFitterFune _PassFUterFunc ) 

I 

StartNewFrame ( 0 ); // Reset all channel's static vftriabels 

DtsplayFune » _DisplayFunc; 
PassFilterFunc = _PassFiUerFunc; 

if ( Layer IpProtocol != NULL ) 

// Returned with error ? 
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if ( An.ly«Nodc ( Uyer tpNode, pF«me . AF«meA«..tyze«iP«. FfmeSize. FIRST_LAYER ) - 
ANtZ_ERR_DATA_BUT_NO_MORH_NODfcS ) 

' ^ T ^tW^FnuncAn^^ Framed - FrameAnalyzedPos, 0. 
ANLZ ERRJDATA_BUT_NO_MORE_NODES); 

r 

/ — ' 

/ PRIVATE •••••/ ^ 

/••••••••••• ••••••••••••••••*•*•••*•••** • 

« 

• NAME: TChannclProtocolAnalyzertStartNewFramc 

• DESCRIPTION: Reset all required parameters for starling anlysis of 

• new frame ( applied on layer I protocol only). 
• 

• RETURN VALUE: None. 

• NOTES: None. 

# i «.«♦♦♦•♦•*♦♦♦*♦•.*•*•*♦♦*♦♦♦••*••••••/ 

vVid^VwtcaJl TChaxinelProtocolAiwlyxer::SurtNe^Frame ( UINT64 TimeTag ) 



StaitFrameTime -TimeTag; // Set lime ( Starting new frame ) 
FrameSize -0; //No bytes yet 

FrameAnaiyredPos -0; // 1^ byt« yet 

DecodeFunclndex -0; //Nothing decoded yet 

DccodeFuncState - DEC STATE_BEGIN; // Initial state 
Layer lGroupRectira - FALSE; // Not inside a group recursive 

Layer IGroupMult - 0; // No multiples of group 

/•NumOfFrameNodes - 0; 

far( i - 0; i < MAX CONDITIONS jTrTES J>ER_NODE; i++ , 
NumOfCondiuonsti] - 0;*/ 

if( LayerlpProtocol !» NULL ) 

Layer lpNode ° UyerlpProtocol->pRootNode; 

) 



♦ NAME: AddFrame 

* DESCRIPTION: Add frame with/Without error tag. 
• 

* ErrorTag - Frame Error Value or 0 for no error. 

• TimeTag - New Time tag for next frame. 
• 

• RETURN VALUE: None. 

• NOTES: None. 

• • / 

void .Jasteall TChannelProtocolAnalyTer::AddFrame ( WORD ErrorTag, UINT64 TimeTag ) 
t 

DWORD Tmp; 
if( ErrorTag) 

{ if ( ( ErrorTag — FRAME ERR_TOO_BIG ) fl 
( ErrorTag — FRAMEJERR^TIME_0UT ) ||. 
( ErrorTag — FRAME_ERR_UN EXPECTED ) ) 

' FramcAnalyzedPos - FramcStie; // Act as if bytes whew analywd I 
\ 
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' , --eive counter (for monitoring purpose) 

_Tc*elFramesReeeived~; // tacrcese exernrf receive counter 

if ( Sav.FramcF^c - NULL ) // Add to memory/file... 
ir( %Sr«F«nc 1- NULL ) ,1 

Slar&ewFrarae ( TimeTag ); 



FrameSize ■ Tmp; 

else . _ ^ 

SiartNew Frame ( TimeTag J f 



* NAME: Anaty«Layer 

I DESCRffTlON: An.ly.i- of higher proUxol tayer (higher tayer then the 
previous) 

• pProtocol - new protocol layer, nrotoco. layer 
pData- Decoded data passed ^^^l^Zx layer. 
DataSize- Decoded data size M ****** ^ 
Layer* Previous protocol layer Number. 

• RETURN VALUE: Norte. 

t NOTES: This routine may ^.ed^v.y 6cm ArulyxeNode. 

• . U must not be used on first tayer I 

Notice that previous (tower) lay* « 

this leyer, hence this function returns nothing. 

V V^VuVVroVoT^eV^'bYTE -PD.U. DWORD DeuSixe, 

void _Jestc.u TChannelPtotocolAn.lyxer::Anriy«Uy«r < PT_PROTU_ 
BYTE Leyer ) 

1 OWOR DO««aIndex-0;//5t art «gnew.«yer. W poWtolWpo» rt ion 

Layer++; // Increase layer number. 

if ( p Protocol->pRootNode — NULL ) 
return; 



// Check filter/tngger conditions..^ 
if ( p Wotoco1->pFu3iHookedCor^^ ) 
CheckProtocolCondittons ( p Protocol ); 

Recursive analysis in protocol tree... •/ 
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aAu ^.e^data V.no.more .NODES ) 

ANLZ^EFA J)ATA^BUT_NO„MORE.NODES ); 
) 

/ * * •••••• ^ 

/• This layer is complete: 0f 

M.T C T^c7c» for an 8 lysi, o^c «^ P «vi<x a layer •/ 
/• Reset decoding function jC J» 
^eV^»*e-DEC_STATE_BEOIN; 
DecodeFunclndex " 0; 

) 



• NAME TCharutelPrctocolAnBiyzer:Aiialy«Node 

• DESCRIPTION Analysis «nd match for a specific node. 

pNode - pointer of next node to be analyzed. 
oUata - Received data" bytes buffer. 

pLalndex - In: current index in ^vedW^b^er 

Out: after analysis index m Recetved daU bytes ouner. 
DataSize- Received data 1 bytes buffer sire. LAYERS 
CurrLayer - Current Protocol layer number l..MAX.NUM„ur.LA 

• RETURN VALUE: 0 or analysis' error number. 

* NOTES: This routine is called recursivly. 

PROTO NODE pNode, BYTE *pData. DWORD •pDatalndex, 
WORD _fastcall TCbanndProtocotAnalyzer-.:AnalyzeNode ( PT.PRO u.^ 
DWORD DataSize, BYTE CurrLayer ) 

1 WORDLast&r; // Error Result from DecodeF.eld function 

/ •' 

/• Check: t$ called from a leaf 7 •/ 



'if 1 pNode = NULL ) // ir called from a leaf : 
1 if ( •pDatalndex < DataSize ) // Still bytes to analyze: 

S , ( ANLZ_ERR_DATA_BUT_NO_MORE_NODES ); 



// Else: ( •pDatalndex — DataSize ) 
return ( 0 ); // Ok. no more nodes to analyze. 



1 



/• Check: Is this node a Field ? •/ 

ir ( pNode->pFiel<J !- NULL ) 
I 
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PT_PROTO_FlELD pField; 
pFktd - pNode->pFteld; 

, • •••••••••••••••••••/ 

r Decoding dau and checking for error. */ 

f ••• •••••••••••••••♦*••••/ 

rVrvDvteJndex - *p Data Index; 

L*st£rr - OecodcField ( pNode, pData, pDatalndex, DataSize. A: Multiples ); 
if < LavtErr) 

// If dau rs not fragmented allow situation where still node to analyze but 
// so more data: 

if C ( ( LastErr — ANLZ_ERR_NODES_BUT_NOT_ENOUGH_DATA ) && 
( •pDatakidex «-=• DataSize ) ) &A 
f ( CurrLayer I* FIRST LAYER ) \\ ( TimeOut — 0 ) ) ) 
renn ( 0 ); // Ok, pherheps not all nodes anlayzed, yet, no more data ! 

// Call Display with error... 
•f ( DrtptevFooc NULL ) 

C>*p4»>F «*»c < CurT Layer, pNode, &pData|PrevDatalndex), DataSize - PrevDatalndex, 0. LastErr ); 

rcftana ( LastErr >. 

I 

f * •••••••«•••••/ 

r+ Try to match one of Ihe sibling nodes •/ 

oHooc - MetcJiFieJd ( p'Node, Multiples ); 

if (pNods — NULL) //If no match: 

' if ( < Cart Layar — FIRST_LAYER ) *L& ( TimeOut I- 0 ) ) // Maintain Node pointer (requires if data is fragmented) 
Layer I pNode - NULL;" 

// Call Display with error - no match ! 
if ( Dtiplry F unc 1= NULL ) 

DtsplayFane ( CurrLayer, pNode, &p Dala(Prev DatAlndex ] , DataSize - PrevDatalndex, 0, 
ANLZ jERR _NO_MATCH_FOUND ); 

rettamC ANLZ ERR NO MATCH_FOUND ); 

I 

// Ok match: check trigger/filter.,, 
if ( pNode >pFiriitHookedCoodition I- NULL ) 
CheckNodeConditions ( pNode t Multiples ); 

H Ok. Call Display... 

if ( DrspleyFune NULL ) 

DtspleyFunc ( CurrLayer, pNode, ApDatafProv Data Index], # p Data Index - PrevDatalndex. Multiples, 0 ); 

r * • ••••••••••••«••••••♦•••/ 

/• Process higher protocol layer if suck V 
/ 

if ( ( pNode->pHigberProto I- NULL ) Aft ( Multiples > 0 ) ) 
AnaJyzeLayer ( pNode->pHigherProto , pField->DecodedBuf, Multiples* (pField->Type). CurrLayer ); 

/• Recursive caU to child code (if such): ♦/ 

/ • •••eaaaaeeaaaeeaaaeeeeaeaeae.aa/ 

if ( ( pNode->pCbild — NULL ) &A ( 0Ncde->pOwnerOfoupNode f- NULL ) ) // Last was a leaf of a group: 
I 

// Check if First protocol layer and currently inside a recursive initiated from the group: 
if ( ( CurrLayer — FIRST LAYER ) AA ( TimeOut I- 0 ) ) 

. I 

LayeT I GroupMult++; 

if ( Layer 1 Group Recurs ) // Called recursi vly from a group: 
I 
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Layer IpNode « pNodopOwticrGroupNodc; //Maintain Node pointer (requires if is fragmented) 
return ( 0 ); // Ok. 

else // Not catted recursively, hence need to continue as if next node is the 

return ( AnalyzcGroup ( P N<xie->pOwnerGroupN<xle, pData, pDatalndex, DataSize. CurrUayer ) ). 

) 

relm? ( 0 ); // Ok, Not the first layer (so defenetlry called recursively from a group) 

} 

// Else, Child exist (or no child but not part of group): 

return ( Analyze Node ( pNodc->p Child, pData, p Data Index, DataSize, CurrLayer ) L 

) • ' 

/• Check: Is this node a Group ? •/ 
else 

if ( pNode->pGroup !-» NULL) „. ■ . 

return ( AnalyzeGroup ( pNode, pData, pDatalndex, DataSize. CurrLay er ) ), 

// Else ( for debug check): 

DEBUG ERR ( " Neither Field Nor Group ! "); 

return ( ANLZ ERR_UN EXPECTED ); 

) 

/ ••••••••••••• ••♦•♦••♦••••••••••••#•**••♦•*••••••*• * 

• NAME: TCbannelProtocolAnalyzer: lAnalyzeGroup 

• DESCRIPTION: Analysis of a group on first layer only. 
* 

• pNode - pointer of next node to be analyzed, 

• pData - Received data* bytes buffer. 

• 1 pDatalndex - In: current index in Received data* bytes buffer. 

Out: after analysis index in Received data' bytes buffer. 
DataSize- Received data' bytes buffer size. 

CurrLayer - Current Protocol layer number i..MAXJ*UM_OF_LAYERS 

• 

• RETURN VALUE: 0 or analysis' error mimber. 

• NOTES: This may be called recursivly ( but not if Cu rrLaye r - I ) 

• This function should be invoked only if node is I group 1 
• 

••*,*»•.»«*♦«•**««**»««««.•••*•»«»*••*«»*••«**•• 

WORD _fastcail TChaimel^ctocolAjialyzer::Ai^ < PT_PROTO_NODE pNode, BYTE •pData, DWORD •pDatalndex, 

DWORD DataSize, BYTE CurrLayer ) 

{ 

PT PROTO GROUP rXhoup; 
WORD LastErr - 0; 

DWORD Multiples; // Multiples of group 

if ( ( CurrLayer — FIRST LAYER ) &A ( TimeOut I- 0 ) ) // Need to maintain some variables (solve receive fragmentation) 
I ' " . . 

Layer lp Node - pNode; // Mark last node for frame fragmentation 

if ( pNode->pOvmerGroupNode I- NULL ) U (Debug checks) 

DEBUG_ERR ( "Group Inside Group ti not allowed in first layer when timeout is not 0 I"); 
return (ANLZ ERR_UNEXPECTED); 

» ) 

p Group ■* pNode->p Group; 

/ •••••••••••••• ♦•♦•♦•••••/ 

/* Determine multiples of Group : */ 

/•• ••• ••••••/ 

switch( pOroup->Mult ) 
i 



n 
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case MF_NO_MULT: Multiples - 1 ; 
break' 

*ase MF_SPECIF1ED: Multiples - pGroup-^MuhPanOTjeter. . 

: MF.NOD^ Multiples - NodeValueA»DWORD ( pOroup->pMuUNode ) + pGroup->MultP«™me«er. 

: MF TILL END: DEBUG_ERR ( "Repeat tilt end in first layer and timeout is not 0 - not supported D; 
~ return ( ANLZ ERRJJN EXPECTED ); 
default DEBUG ERR ( "Unknown Group* Mult P); 

return ( A NLZ_ERR_UN EXPECTED ); 

) 

, - * ' 

/• Notice: In first protocol layer reception is fragmented, heene •/ 

/• this function may return without finishing group analysis. •/ %MWM > 

/••••• * •••••••••••••••••• • 



if ( Layer 1 GroupMult — 0 ) 

// Match by default (since entered group): 
// Calt trigger/filter... 

if ( pNode->pFirstHookedCondition !- NULL ) 
CheckNodeCortditions ( pNode, Multiples ); 

) 

Layer 1 Group Recurs - TRUE; // Steping into a group recursive 

i ............ * • / 

/• keep Analysis while I. Need more multiplies of group. V 

/• 2. No error. •/ 

/• 3. Still more data to analyze. •/ 

/ ••••••••••••••••••••••••*••••♦•••••••••••••••••/ 

while ( ( Layer 1 Group Mult < Multiples ) ScSt 
( LastErr — 0 ) && 
( *pDataIndcx < DataSize ) ) 

LmstErr - AnahyzeNode ( pGroup->pRootNode, pDtti, pDetalndex. DataSize, Curr Layer ); 

Layer 1 Group Recurs » F ALSE; // Out of a layer 1 group recursive 

it"( Layer I GroupMult — Multiples ) 
( 

Layer ! GroupMult - 0; // reset (since finished group multiples) 

// Go to child... 

return ( AnalyzeNode ( pNode->pChi1d, pData, p Data Index, DataSize, CurrLayer ) ); 

I 

return ( LastErr ); 

) 

else // Not the fust layer or 0 timeout: 
< 

inti -0; 

f p Group - pNode->pGroup; 

// Match by default (since entered group): 
// Call trigger/filter... 

if ( pNode->pF«tHoc*edCondition I- NULL ) 
CheckNodeConditioos ( pNode, Multiples ); 

,..••••....*«•••••»••«*•«»«••••••••, 

/• Determine multiples of Group : •/ 

/ * ••••••••«•••/ 

switchi pGroup->Muft ) 
( 

case MF_NO_MULT: Multiples - 1 ; 

i — ■- 

DTC8K, 

case MF_SPECIFIED: Multiples - pGroupo-MultPararneter; 
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group 



MF_NODE k; Multiple - NodeV.lueA*DWORD ( pGnwp^pMuJtNode ) + pGroup^MultPanmeter; 
break; 

case MF_T1LL_END: 

i - DataSize - ( ♦pDatalndex ) + pGroup->MullParamcler/*Nagauvc value*/; 
while ( i > 0 ) // Loop till reach end - delta 

( LastErr - AnalyzeNode ( pGrc*itv>pRootNode. pData, pDatalndex, DataSize. Curr Layer ); 
if(LastErr) 

( if ( LastErr != ANLZ_ERR_DATA_BUT_NO_MORE_NODES )// This is not an error - since need to repeat 
return ( LastErr ); 

i - DataSize - ( ♦pDatalndex) + pGroup.>MullParameter/ # Nagative value*/; 

) 

if (• i < 0 ) // Too many bytes analyzed I 

* // HHmmn Call Display with error - no more data but still left multiples I put as hex... 
return ( ANLZ ERR NODES BUT NOT ENOUGH_DATA ); 

} 

//Go to child... 

return ( AnalyzeNode ( pNode->pChild, pData, pDatalndex, DataSize, CurrLayer ) ); 



default : DEBUG_ERR ( "Unknown Group' Mull f); 

return ( A NLZ_ERR_UN EXPECTED ); 

) 

r • • ••••••••••••••••/ 

/• Handles: MF NO MULT, MF SPECIFIED. MF NODE : •/ 
/ 

while (, ( t < (mt) Multiples ) && 
( •pDatalndex < DataSize ) ) 

( 

LastErr = AnaiyzeNode ( pGroup->p Root Node, pData, pDatalndex, DataSize, CurrLayer ); 
if (LastErr) 

return ( LastErr ); 
else 

H+; 

} 

if ( t < (int)Multiples ) // Not enough bytes I 
{ 

' // WfWUSM Call Display with error - no more data but still left multiples I put as hex... 
^ return ( ANL2_ERR_NODES_BUI _NOT_ENOUGH_DATA ); 

// Go to child... 

^ return ( AnaiyzeNode ( pNode->pOuJd, pData, pDatalndex, DataSize. CurrLayer ) ); 



• NAME: TChannelProtocolAnalyzerrMatchField 

• DESCRIPTION: Trys to match field's decoded data in one of the sibling 

nodes (including this node). 

pNode - pointer to first node (in sibling list). 
Multiples - Multiples of decoded field. 
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/ •••••••••••••••••••••••••••••••••••••••/ 

/• For each multiples type: */ 
/• V 

/* 1 Check if enough data to complete field if not •/ 
/• return error. •/ 
/• 2. Decode/convert recived data. V 
/• 3.incrtaraent Datalndex to next field. */ 
/••••••••••••••••• 

case MF NO MULT: if ( pNode->pBits H NULL ) // Bits partitioning ? 

f 

/ ••••••••*••••••••••••••/ 

/* Check for bits partition ( allowed •/ 
/• only if MF_NO_MULT > •/ 
/• Perfrom decoding only if: •/ 
/* First node in bits partitioning V 

i 

♦pMultiples- I; 

. if ( pNode->0Bits->pFiret — NULL ) // Is first ? 
{ 

if ( (DWORD)DataSize - Datalndex >- ( DWORD jType ) // enough bytes ? 

DecodeAndConvertSingleField( pFMd, &pD»t*|Dau!ndexj. pField->DecodedBuf ); 
CpDatalndex) +- Type; 

else 

return ( ANLZ_ERR NODES BUT NOT ENOUGH DATA ); 
1 " " " 

// Ok » decode ok, or not the first bits partition. 

else // No bits partitioning: 
I 

if ( (DWORDXDaUSize - Datalndex) >- (DWORD)Type ) 
if < ( pNode->pBits — NULL ) R 

^ ( ( pNode->pBit* I- NULL > ( pNode->pBits->|>First — NULL ) ) ) 

DecodeAndCoovertSingleFteld ( pFictd. &p Dattf Data Index |, P Field->DecodedBuf V 
CpDatalndex) +- Type; 
♦pMuitipIes- I; 

) 

) 

else 

^ return ( ANLZ_ERR_NODESjBUTJNOT_ENOUGH_DATA ); 
break; //Ok 

case MF.SPEC1FIHD: •pMultiples - pFieid->MultPanmieteT; 

if ( DataSize - Datalndex >- ((•pMultiples)»Type) ) 

if ( 'Decode AndConvertMuJtFteld ( pFteld. ♦pMttltiples, ApData(DataJndexJ ) ) 

j return ( A N LZ_ERR_DECO DE_BUF_TOO_S MALL ); 
^ CpDatalndex) 4- (< ^Multiples) 'Type); 
else 

return ( ANLZ_ERR_NODES_BUT_NOT_ENOUGH OATA V 
break; ~" * 



MK MODE: 



*P M «« lli Pl« " NodeValueAaDWORD ( P FieW->pM a llNodfe ) + pFicld->MtiltP. n » M ~ - 
•f ( DataS,« - Datalndex » ((•pMultrpMHype) ) >MttliPax»nieter. 



if ( !DecodeAiidConvertMiiltField ( pField, •pMultiples, ApDataJDatalndex] ) ) 

// DEBUG_ERR ( " DeeodeField: MF NODE - but decode buf too small I -V 
return ( ANLZ_ERJt_DECODE_BUF~TOO_SMALL); ' * 
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} 

(♦pDatalndex) +- (pFidd->Type) • (*pMultiples); 

) 

else 

return ( ANLZ ERR NODES_BUT_NOT ENOUGH DATA ); 
break; 

/ • * * ••••••••••••/ 

/•" The following types applied only for TF_BYTE Type only •/ 

/ *•»•••**••«•••••••«••••• 

i 

case MF_TILLJEND: ir ( (intXDataSize - Datalndex) < KpFteld->MultPaxaineier/*Nagabve value*/) ) // Not enough bytea I ( 
MultParameter is -delta from end ) 
( 

♦pMultiples - 0; 

return ( ANLZ_ERR_NOT ENOUGH DATA TILL END); 

) 

- 'pMultiples - DataSize - ( Datalndex ) + pField->MultParamcter/*Nagative value V; 
if ( ! Decode AndConvertMuJtFieid ( pField, ♦pMultiples, &p Data (Data Index] ) ) 
( 

return ( ANL2 ERRJ3ECODE BUF TOO SMALL ); 

) 

(•pData Index) =» DataSize + pFteld-> MultParameter, 
break; 

case MF_FTND: /•*•••••••••••••••••••••••••••••••••••••••••••••••••••••••••/ 

/• p Data Index will be updated only if pattern was found. •/ 
/• For fragmented data, search will be made again and again V 
/ • till pattern found or error (timeout or frame to big) •/ 

•pMultiples - 0; 

while ( Datalndex < DataSize ) 

i 

, DeeodeAndConvertSingleField ( pField. StpDnta[ Data Index], &pField->DecodedBulX*pMuldp!e3| ); 

Datalndex++; 

if ( pFidd->DecodedBiif{ 'pMultiples) — (BYTE)pFieid->MultParameter ) 

(*pMultip!es)++; 

"pDala Index - Datalndex; 

return ( 0 ); // Ok, decoding success. 

(*pMultiples)++; 

) 

return ( ANLZJiKR^PA ri ERN^NOT.FOUNU ); 

case MF_DECODE: /••••••••••••••♦••♦•.♦••••••••♦.•.••.•.•••••••.•..•.••.•••••♦♦•♦•••..•.•.♦,.. / 

/• External decoding function involved: Decode and increament pDatalndex. V 
/• DecodeFuncState is static - if last time decoding function hasn't been •/' 



: decoding 1 

/* finished, this variable maintain the last state. •/ 
/* Notice: single channel cannot use two decoding function processing 
/• in parallel f •/ 8 



// Debug check: 

if ( pField->pDecodec>pDecodeFunc — NULL ) 

DEBUG_ERR(-No decoding function P); 
return ( ANLZ ERR UNEXPECTED ); 
} ~ 



RcvSize - DalaSize - Datalndex; // Obtain remain bytea 

DecodeFuncState » pField->pDecode->pDecodeFunc( 
DecodeFuncState, 



\5 



0128060A1_I_> 



SUBSTITUTE SHEET (RULE 26) 



WO 01/28060 



PCT/ILOO/00639 



&pData[Dataiodex], 
ARcvSize, 

pFieM->DecodedBuf, 
^DecodeFunclndex, 
pFielo^>MaxDecodedBulSize. . 
p Fidd->pDecode'>SutkStortgc); 

// pDatalndex is allways mcreaimmted: 
•pDatalndex - Datalndex + RcvSize; 

switch ( DecodeFuncState ) 

{ case DEC STATE COMPLETE: 

DecodeFuncState- DEC_STATE BEGIN; // Prepare for next time 

// further decoding/convert is performed on the decoded buffer fcjdT 

DecodeAiidConvertMultFteld ( pFicld, DecodeFunclndex, P Field->DeeodedBuf ), 

•pMuItiples - DecodeFunclndex; 

DecodeFunclndex - 0; 

break; // Ok decoding complete 1 

case DEC STATE_ERR_SYNC: 

DecodeFuncState - DEC_STATE_BEGTN; // Prepare for next time. 
DecodeFunclndex - 0; 

return ( ANL^_ERR_DFUNCJ3UT_OF_SYNC ); 

case DEC_STATE ERR_FCS: 

DecodeFuncState - DEC_STATE_BEGIN; // Prepare for next lime. 
DecodeFunclndex - 0; 

return ( ANLZJ£RR_DFUNC_INVALID_FCS ); 

case DEC_STATE ERR_TOO_BIG: 

DecodeFuncState - DEC JSTATE_BEG!N ; // Prepare for next time. 
* DecodeFunclndex - 0; 

return ( ANLZ_ERR_DECODE_BUF_TOO_SMALL >; 

default: return ( ANLZ_ERR_DFUNC_NOT_FTNlSHED ); 

} 

break; 

default : DEBUG ERR ( " DecodeField: Unknown Field* Mult I 
return ( A NLZ_ERR_UN EXPECTED ); 

) 

return < 0 ); // Ok, decoding success. 

) 

,»••*••*•••••••••••*•• •*••••«*••••«•••••«•••••••••••••••*••••••••••••• 

• NAME: TOuuinelProtocolAiiaiyzerrMatchMultField 

• DESCRIPTION: Match on all multiples of a field. 
• 

• pFierd - new protocol layer. 

• pin Data - Node's non analyzed data bytes (yet not decoded) . 
*" Multiples - Multiples of field. 

• 

• RETURN VALUE: Return TRUE for match or FALSE for no match. 

• NOTES: This routine does not handles a decoding function 

• Size of In Data always remains the same as OutData. 



bool lastcall I LhannelProtocol Analyzer ::MatchMultHe!d ( Kl _PrUJl U_Ht£LD pHeld, DWORD Multiples, Kl__S YNC_V ALUE 

pSyncVal ) 
1 

DWORD i; 

BYTfc KieldSize, *pOutData; 
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U" ( pSync Val->Syne !» SF_ALL ) // step in only if need 
I 

FieldSize - pField->Type; 
pOutData - pField->DecodedBuf; 

for ( i - 0; i < Multiples; i++ ) 

// Event if there is only one that doesn't match -> return FALSE: 
if ( IMatchSingleField ( pFidd, pSyncVal, pOutData ) ) 

returnl FALSE ); 
pOutData +■ FieldSize; 

} 

1 

retum< TRUE ); // Ok all bytes matches 

I 



• NAME: TChannel Protocol Analyzer :MatchBits 

• DESCRIPTION: Match bits partition node. 
« 

* p Field - new protocol layer. 

4 » pBits - Node' Specific bits info. 

* Multiples - Multiples of field. 
• 

• RETURN VALUE: Return TRUE for match or FALSE lor no match. 

♦ NOTES: This routine is applied only if pBitfl I- NULL. 



bool _fastcall TChanne 1 Protocol Analyzer: MrtchBrtJ ( PTJ»ROTO_FIELD p Field, PT_BITS pBitt, PT_SYNC_VALUE 

pSyncVal ) 

I 

BYTE •pOutData, •plnData, ShiftR, ShiftL; 
DWORD Triple; 

if ( pBits->pFirst = NULL ) 

ptnData - pField->DecodedBuT; // first partition: 
else 

plnOata - pBits->pKirst->pField->DecodedBuf; // not the first partition: 
pOutData - pBits->DecodedBits; 

/♦ prepare DecodedBits bufTer so that it will contain specified bits •/ 
/* boun dries: */ 

r v 

/* Ex: prepare bits index 5 to 9: •/ 

/* , •/ 

/•bits.. 0,1,2,3,4,5,6,7.8,9,10,11,12,13.... V 

/• •/ 

/• InData: X,X;X,XXM,l.0.U X, X, X.'... •/ 

P OutData: 1,1,!, 0,1, 0.0,0,0,0,0, 0, 0, 0 ... •/ 

/• •/ 

/• operation: I. shift left till end. V 

/• 2.shift back right till start V 

/•• # * •••••••••• / 

//ShiftR - 7 - ToBiUndex; 

//ShiftL - 7 - ( ToBnlndex - FromBitlndex ); 

switch ( pFtefd-> 1 ype ) 
I 

case TFJ3YTE. 
ShiftL - (BYTEX7 - pBits->ToBitIndex); 

ShiftR - (BYTEX7 - ( pBit*.>ToBitlndex - pBits^FroniBitliidcx )); 
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•(BYTE *>pOutData - (BYTEX (BYTEX C<BYTE ^plnDaia) « ShiftL ) » ShiftR ) ; 
break: 

sc TF_WORD. 

ShiftL - (BYTEX15 - P Bii3-> ToBitlndcx); 
ShiftR - (BYTEX » 5 - ( pBits->ToBitIndex - pBtta->FroTTu3itlndex )). 

•(WORD pOutData - (WORDX (WORDX C(WORD *)plnData> « ShiftL ) » ShiftR ) . 
break; 
caseTF TRIPLE: 

Triple - plnDatalO] ♦ (plrtDatall)«S) ♦ (plnDatal21«16); 
ShiftL - (BYTEX*-* • pBits->ToBitindex); 

ShiftR - (B YTEX23 • ( pBtt3->T oBttlh dex - pBits^FromBitlndex )); 
Triple - ( Triple « ShiftL ) A OxfrHrT; 
Triple «> ( Triple » ShiftR ); 

p OutDala|21 - (B YTEX(Triple» 1 6) A OxfO; // most 
pOulDatall I ~ (BYTEX(Triple»8) & Oxll); // middle 
pOutData(O) - (BYTEX(Triple) A OxfT); " 
break; 
ca« TF DWORD: 

ShiftL - (Br 1T£)(3 1 - pBits->ToBrtlndex>; 

ShiftR - (BYTEX31 - ( pB»ts->ToBitlndex - pBits->FromBitIndex )); 
♦J DWORD *)pOutData - ( (DWORDX (* (DWORD *)pInData) « ShiftL ) » ShiftR ) ; 
break; 
ease TF_.LARGE: 

ShiftL - (BTYTEX63 - pBits^>ToBittodex); 

ShiftR - (B YTEX63 - ( pBits->ToBitIndex - pBits->FromBitlndex )); 

•(UINT64 «)pOutData ~ (U1NT64X (UINT64X (*(UINT64 •felnData) « ShiftL ) » ShiftR ) ; 
break; 

default : DEBUG_ERR ( " MatchBits: Unknown Type ! return ( FALSE ); 

\ 

return ( MatchSingleh ield ( pFteld, pSyncVal, pOutData ) ); 

) 



• NAME: TChimneipTOlocolAnalyzer::MatchSingIenetd 

• DESCRIPTION: Match for s single specific fleW. 
• 

• pFietd - pointer to field. 

• pSyncVal - pointer to synchronization record. 

• pOutData - pointer to next position of converted and 

• decoded buffer. 
• 

• RETURN VALUE: Return TRUE for match or FALSE for no match. 

• NOTES: This routine does not handles a decoding function 

• Size of In Data always remains the same as Out Data. 
Calling function must ensure ther's enough decoded 

• buffer space. 



boo! _fastcall TCharmcIr^ocolAjuuyzer::MatchlSingleField ( PT_PROTO_MELD pField, PT_SYNC_VALUE pSyncVal, BYTE 

* pOutData ) 

( 

PT_SW!TCH_V ALUE pSV; // pointer to Switch Value structure 
DWURD Triple; 

/ 

/• Process: •/ 

/• V 

/* try to match according to synchronization info. V 

t ••••••••• •••••••••••••••••/ 

switch ( pField->Type ) 
i 

case I r_BYTE: switch ( p$yncVal->Sync ) 
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( 

case SF ALL : return ( TRUE ); 

caseSF_FIXED : if ( •(BYTE *)pOulData — # (B YTE *)pSyncVal->Fixed ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF_RANGE : if < ( •(BYTE ♦)pOutData >- A (B YTE *)pSyncV8l->LLimit ) && 
( *(BYTE •)pOutDat* «c- '(BYTE *)pSyncVal->HLimrt ) ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF_MASK : if ( •(BYTE •)pOutData& *(BYTE *)pSy!»cVa1->Mask ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF^S WITCH : pSV - pSyncVal->pFirst; 
while (pSVH NULL) 
< 

■ if ( •(BYTE •) P OutData — •(BYTE •)pSV->Fixed ) 

return ( TRUE ); 
pSV-pSV->pNext; 

> 

return ( FALSE ); // no match 

no match SF ~ FCS DEBUO - ERR < " MatchSingleField (TF_BYTE): SF_FCS not handled I"); return (FALSE); // 

match dCftU,t DEBUG_ERR ( - MatehStngleFteld (TF_BYTE): Unknown Sync value return (FALSE); // no 

) 

case TFJWORD switch ( rjSyncVa!->Sync ) 

case SF_ALL : return ( TRUE ); 

*5F_FIXED : if{ •{WORD •) P OutData — •(WORD ')pSyncVai->Ftxed ) 
return ( TRUE ); 
return ( FALSE ); // no match 
: SF_RANGE : if ( ( •(WORD •) P OulData >- •(WORD *)pSyncVal->LLitnit ) &A 
I *(WURD •jpOutData <- •(WORD -)p$yncVal->H Limn ) ) 
return ( TRUE ); 
return ( FALSE ); // no match 
:SF_MASK : if( •(WORD •)pOutDati & •(WORD •) P SyucVal->Mask ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF^S WITCH : pSV - pSyncVel->pFim; 
while (pSV I- NULL) 

if ( *<WOR£> *)pOutData — »(WORD •)pSV.>Ftxed ) 
return (TRUE); 
^ pSV-pSV^pNexi; 

cr „ rctu ™ ( FALSE ); // no match 
nomatch — SF -«* = DEBUG_ERR ( " MatchSingleField (TF_WORD): SF_FCS not handJed !"); return (FALSE); // 

match drfaUU : DEBU G_ERR ( - MatchSmgleFieW (TF_WORD): Unknown Sync value I"); return (FALSE) // no 

) 

case TF^TWPLE: Triple - pOutData(O) + (pOutData[ I J«fl) + (pOutData|2]«l6V 

//Nc^cet^41hbyteofeachpSvncVtrfieldrm« '* 

JS^ 12 ? m c!sc DW ^W> comwkmtsinvabcl 
switch ( pSyncVaJ->Syoc ) 

case SF_ALL : return ( TRUE ); 

case SF_F1X£D if ( Triple — '(DWORD •JpSyncVaJ^Frxed ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF^RANGE : if ( ( Triple >- •(DWORD *)pSyncVal.>LLimrt ) 

iJ np! /™i DWQRD •*>SvncVaJ->HUmrt ) ) 
return ( TRUE ); 

return ( hALSt);// no match , 
caseSF_MASK : if ( Triple ft # (DWOIU3 •)pSyneVal->Mask ) 
» return ( I RUE ); 9 

pr FALSE); //no match 

caseSF.SWMCH : p5 V - pSyncVaJ-^im; 
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while (pSV I- NULL ) 
< 

if ( Triple — •(DWORD *)pSV->Fixed ) 

return ( TRUE ); 
pSV - pSV->pNext; 

) 

return ( FALSE ); // no match 
case SF_FCS : DEBUG_ERR ( * MatchSingleField (TFJTRIPLE): SF_FCS not handled 1 '); return (FALSE); // 

no match 

• default : DEBUG_ERR ( " MatchSingleField (TFJTRIPLE): Unknown Sync value I"); return (FALSE); // no 

match 

) 

case TF_OWORD: switch ( pSyncVal->Sync ) 
case SF_ALL : return ( TRUE ); 

case $F_F1XED : if ( ♦( DWORD •)pOutData — •(DWORD •)pSyncVal->Fixed ) 
return ( TRUE ); 
return ( FALSI- ); // no match 
case SF_RANGE : if (( ♦(DWORD *)pOutData >- •(DWORD •fcSyncV a l->LLiniit ) AA 
( •(DWORD •jpOutData <- •(DWORD •)pSyncVaf->H Limit ) ) 
return ( TRUE ); 
return ( FALSE ); // no match 
case SF_MASK : if ( •(DWORD •)pOutData A -(DWORD •) P SyncVal->Mask ) 
return ( TRUE ); 
return ( FALSE ); //no match 
case SF_SW!TCH : bSV - pSync Val->pFirst; 
while ( pSV !- NULL ) 
( 

il ( •( DWORD •^OutData — •(DWORD •JpSV->Ftxed ) 
return ( TRUE ); 
^ pSV-pSV->pNext; 

return ( r ALSfc ); // no match 

//no match cascSF - FCS ' DEBUG__ERR ( • MatchSingleField (TF_DWORD): SF_FCS not handled P); return (FALSE); 

default : DEBUG_ERR ( - MatchSingleField (TF_DWORD): Unknown Sync value P); return (FALSE); // 

no match 

\ 



case TF JJJRGE: switch ( pSyncVaU>Sync ) 



case SF ALL : return ( TRlJIE ); 

case SF_FIXED : if ( •(UTNT64 •) P OutData — *(UINT64 •) P SyncVal->Frxed ) 
return (TRUE); 
return ( FALSE ); // no match 
: SF_RANGE : if( ( /(UINT64 •) P OutData>- •(U1NT64 -frSyncVal^LUmit >&& 
( *(UINT64 •)pOutData <- •(UTNT64 •)pSyncVal->HLimit ) ) 
return ( I RUK ); 
return ( FALSE );// no match 
? S>_MASK : ,f ( •(UIN164* •) P OutDaU A ^UlN 1 54 •) P SyncVal.>Mask ) 
return (TRUE); 
return ( FALSE );// no match 
case SF_SW1TCH : pSV - pSyncVal^pFtrtt; 
while (pSV I- NULL) 

if ( •(UINT64 •)pOutData — ♦(UINT64 *)pSV.>Ftxed ) 
return ( TRUE ); 
^ pSV - pSV^pNext; 

return ( FALSE );// no match 

no nVatch ' UEBU "-***< " MatchSmgfeFteM (TF_LARGE): SF^FCS not handled P); return (FALSE); // 

match <fcftU,t : »»WLI»R C • MatchS ing leK,eld ( I K.LAKGE): Unknown Syno value P); return (KALSb*); // no 

1 



default : 

I 



DEBUG_ERR ( - MatchSingleField: Unknown Type I "); return ( FALSE ); 
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• NAME? TChaimdrVotocx>lAiudyz^ 

• DESCRIPTION: Decode and convert all multiples of Rdd. 

• AJso verifys that DecodedBuf is big enough to 

• contain decoded data. 

• pFteld - field to convert. 
Multiples - Multiples of field. 

• plnData - Node's non analyzed data bytes (yet not decoded) . 

• RETURN VALUE: TRUE for ok, or FALSE for field's DecodedBuftoo small. 

• NOTES: This routine does not handles a decoding function 

• Size of In Data always remains the same as OotData. 
• 

^nDSttT" 11 TCh ^ c,Prot ^ ol ^ a, > w " ( PT.PROTO.FIELD pField, DWORD Multiples, BYTE 

( 

DWORD t; 
BYTE FieldSize: 
BYTE 'pOutData; 

FieldSize — pField->Type; 
pOutData * pField-> DecodedBuf; 

ir( Multiples • FieldSize > pFie!d->MaxDecodedBufSize > 
remm( FALSE ); ' 

// Scan all data (according to Multiples): 
for ( i - 0; t < Multiples; i++ ) 

DecodeAudConvertSingleFiefd ( pField, pin Data, pOutData ); 
plnData +- FieldSize; 
pOutData FieldSize; 

^ retum( TFLUE ); 



• NAME: IChanndProtocolAiuu^ 

• UkSCRiri 1UN: Decode and Convert Single multiples ot a specific Held. 
I prteld- held to convert. 

Sw^"^ 00n T 81 ^ ^ (y« »ot decoded). 
pOutData - Node s analyzed and decoded data bytes. 

• KITURN VALUE: None. 

• NOTES: TO* routine does not handles a decoding runctkm 

V Z n T "Jways r «»ains the same as OutData 
Calling function must ensure dice's enough decoded 
buffer space. 

^15?^ ( rrjwwi ■ HHLU m .p.„0.„. by i t 

/"•**«•»•*««• aaeeaaaaaaaaa MM# «. MtM . # « 4###M# 

/^Process: * 
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I t op> to out buTler according to bits' order: •/ 
/•2 Perform internal decoding operation (if BYTE). V 
' * 

iw«c* f pf *ctd->Type ) 
I 

i TF_BYTV pOutData(O) - plnData(O); 

tMch C pField->Convert ) // Special conveniens for BYTE Type: 
case CON_NO_CONVERT : break; 

case CON_ ADD : pOutDatalOJ +- pField-XZonverlVal; break; 
caseCON_SUB : pOutData(0| -« P Field->ConvertVal; break; 
**** ^_NOT_LOGlC : pOutDatalOJ - (BYTEMpOutDatalO|); break; 
caseCON_OR_LOG!C : pOutDatafO] hpFidd->ConvenVal; break; 
case CON_AND_LOGlt : pOutData|U) £r*ieJd->Convcft Val; break; 
case CON_XOR_LOGIC : pOutDaU(0| ^pField^ConvertVal; break; 

c^CON_NANU LOGIC: pOutDatalO! - <B Y TEX-KpUutUatalUr A prield->Voovert Val)); break 
**** : DEBUO.ERR(-r>«odeAndCc«vertSm8!eF«eld:Unk^ 



caw TF^ WORD tl f pField->BitDir — BD_MSB FIRST ) 
• I " Motorola like (Big indian) -> swap ~ 
p<>4D«aJ0| « plnDataH); 
pOwDatail|-p!nDau(0); 

eftc 

•tWORD # )pOutData - *(WURD 'ft* In Data; 
Hi**** { pl '* ,d * >Convcrt > " $P*n*t convemons for WORD Type: 



" easeCUN_NO CONVfcRT: break; 

// ^mSn^r ^PJ* 0 * 0 " - >Fie!d->CotivertVal ; break; 
J«^ ; C b^ NAND - LO ° IL : (WORD *)POutD«t- -MnWORD -^tData A •(WORD 

£ default: DEBUG_ERR ( • HxodeAndOmvertSingleFietd: Unknown Convert type T); break; 



- . ^ ,,(pKlc,d >H,tL>,rraMU MSB nnri 

I //Motorola like (Big indian) ->lwan ~ 

POutDatalOJ - plnUataTil; 

P°«Data[l]-.plnDatafl|; 
^ pOwDatal2|-D!rtDataf01; 

c4se 
I 

pOutDatafO) - ptnData(O); 
pOutDatal > 1 - pin Data I 1 1- 
^ pOwDataI2|-plnData|2i; 

break; 

;TFJ , W ,?I!? if ^ Fic ^BitDir-BD MSB FIRST) 
< //Motorola like(B,g .ndian) -> swap ~ ' 

pOutDatafOJ - pbiDataf3J; 

DUutUatal 1 1 - plnUatal2|; 

pOutDala(2)-pI„Datafl|; 
) pOutData(31-plnData|U|; 

ehc 
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•((DWORD *)pOutData)- ♦((DWORD «)pmData); 
break; 

case 1K_LARGE: if ( pField->BttDtr — ■ BD_MSB_FIRST ) 
( // Motorola like (Big indian) — > swap 
pOutData[0j « plnData[7]; 
pOutData j 1 j » pin Data [6]; 
pOutData(2) - p!nData(5J; 
pOulData(3) - pinDeta(4]; 
pOutDatal4] - plnDataf 3]; 
pOutData[5) - plnData(2]; 
pOutData[6) = p(nData(lj; 
pOutData(7) - plnData(O); 

> 

else 

•((UINT64 *)pOutData) - *((UINT64 »)pInData); 
break; 

default : DEBUG_ERR ( " DecodeAndConvertSingieKteld: Unknown Type 1 "); 

) 



I •••••••••••••• *•••#•**««*•*••••*•••*•••*•••••••••••••••*••••«•• 

* NAME: rCharmelProtoootAnaiyzer:CheckNodeCooditions 
* 

* DESCRIPTION: Checks all conditions in a given node. 

* RETURN VALUE: None. 

* NOTES: Called upon analysis synchronized on pNode. 

void _fastcall TChannelProtocol Analyzer: :CheckNodeCondibons< PT PROTO_NODE pNode, DWORD Multiples ) 

register PT_HOOKED_CONDmONS pHookedCondition - pNodeopFirstHookedCondition; 

// Scan all conditions... 

while ( pHookedCondition f~ NULL ) 

( 

pHookcdCondition->pOnCheckConditionFunc( pNode, pHookedCondition->pConditionNode, Multiples ); 
pHookedCondition - pHookedCondh>on->pNext; 



• NAME: TCharmdProtocolAnalyzer :CheckProtocolCcwdm<xis 

• DESCRIPTION Checks all conditions m a given protocol. 

• RETURN VALUE: None. 

• NOTES: Called upon analysis synchronized on p P ro toco l. 

void _Jastca!1 TOiarmelPTOtocoI Anaryzer::Chet^ PTJPROTOJTREE pProtocol ) 

register Kr_HOOKHD_CONOl HONS pHookedCondition - pProtrjcoU>pKu^Hooked^ondinon; 

// Scan all conditions... 

while ( pHookedCondition I- NULL ) 

\ 

pHookedCondition->pOnCheckCorjdition5unc{ pProtocol, pHookedCondition->pCondition Node, 0/*Muttiplcs are dummy*/ 
pHookedCondition - pHookcdUondrtion->pNext; 
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\ 



• NAME: TChannelProtocolAnalyr«r:NodeV«itteAtDWORD 

• DESCRIPTION: Retuens node's first decoded value converted to DWORD. 
« 

pNode - protocol node &om which to peek decoded value. 

• RETURN VALUE: None. 



NOTES: None. 



DWORU fa steal! ICharmel Protocol Analyzer:: NodeValueAsDWURD ( IM_ PRO I O.NOUK pNode ) 

I 

BYTE # Buf; 

if ( pNode->pBits ) 

Buf - pNode->pBits«>DecodedBits; 
else 

Buf* pNode->pFidd->DecodedBuf; 
switch ( pNode->pViefd->Type ) 

{ casiTF BYTE: return ( (DWORDK'UBYTE ')BuO) ); 
case TF~WORD: return ( (DWORDX* ((WORD ^Buf)) ); 
case I Y~ X RiPLE: return ( (OWORO)BuflOl + 

(((DWORD)Buil 1 1>«8) + 

U(OWORD)Bufl2|)«l6)); 
case TF_DWORI> return ( *((DWORD •)Buf> ); 
case TF LARGE: return K (DWORDX # UUtNT64 ^Bul)) ); 

default' DEBUG_ERR { m Node Value AsDWORD: Unknown Type ! ); return (0), 

) 

) 



tfpragrna package(sTnart_init) 
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